Most agencies have already protected their systems from a new Internet worm that exploits the same server flaw as the Code Red worm. The new worm installs a back door that leaves infected machines open to future exploitation.

Agencies last month scurried to patch government systems in anticipation of the resurgence of Code Red, which went into a monthly propagation phase July 31.

One week later there was only one reported incident of a new Code Red infection on a government machine, said Lawrence Hale, director of liaison for the Federal Computer Incident Response Center.

'The government was well-prepared for last week's propagation phase of Code Red,' Hale said. 'The same machines should be safe from the new variant. But for those machines that are not patched, the stakes have increased.'

The new worm installs a Trojan horse, a disguised piece of malicious code that opens a back door through which a hacker can enter at any time. Once in, the intruder can use the computer for any purpose.

The Code Red worm exploits a buffer overflow in the Microsoft Internet Information Server Indexing Service Dynamic Link Library on some versions of Windows NT and 2000. It installs a copy of itself, which then scans the Internet for new victims running unprotected versions of IIS.

Worm's lair sought

The new worm, although similar to Code Red, apparently can successfully infect only systems running Windows 2000, FedCIRC technical director Dave Jarrell said. NT crashes when it tries to execute it, he said.

As the new worm emerged on the Internet, federal law enforcement agencies continued searching for the source of Code Red, which began worming its way through the Internet last month, infecting hundreds of thousands of servers and targeting the White House Web site for a denial-of-service attack.

Ronald Dick, director of the FBI's National Infrastructure Protection Center, said both the FBI and the Secret Service are on the case, but that tracking the worm back to its origin is difficult.

The White House, Code Red's intended target, managed to sidestep the denial-of-service attack last month by changing its IP address. But researchers found that the worm apparently has a monthly lifecycle and is programmed to go into a propagation mode from the first through the 19th of every month.

Bandwidth buster

Although new copies of Code Red are programmed to attack the old White House IP address each month, the target site is not as important as the amount of Internet traffic that could be generated by the worm in its propagation phase, Dick said.

Microsoft Corp. reported millions of downloads of the IIS patch, which helped to minimize the impact of Code Red in its latest round. Jarrell credited the government and private-sector effort to alert users about the vulnerability as a chief reason for the worm's limited effect.

'The government seems to have done a good job of getting the word out and getting the patch in place,' he said.

The new worm, called variously Code Red II, CodeRed.C and Version 3, is not merely a new version of the worm.

It creates a Trojan copy of explorer.exe. When this is executed by Windows it brings up the real Explorer but disables file protection and opens a back door for the intruder.

Although it is simple to prevent the new worm from infecting a server, once it is infected the Trojan code is more difficult to get rid of than Code Red. The only effective way to disinfect a machine is to reformat the hard drive and reinstall a patched version of the operating system, Hale said.